CN103077331B - A digital resource protection method and related device - Google Patents

Info

Publication number
CN103077331B
Authority
CN
China
Prior art keywords
user
index value
digital resource
digital
registered user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310043364.3A
Other languages
Chinese (zh)
Other versions
CN103077331A (en
Inventor
王艺
关新
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
I Patrol Technology Ltd
Original Assignee
I Patrol Technology Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by I Patrol Technology Ltd
Priority to CN201310043364.3A (patent CN103077331B)
Priority to PCT/CN2013/073039 (patent WO2014117428A1)
Publication of CN103077331A
Priority to US14/705,219 (patent US10102353B2)
Application granted
Publication of CN103077331B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/101 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] by binding digital rights to specific entities
    • G06F21/1015 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] by binding digital rights to specific entities to users
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution
    • H04L2209/603 Digital right managament [DRM]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Technology Law (AREA)
  • General Engineering & Computer Science (AREA)
  • Multimedia (AREA)

Abstract

The embodiment of the invention discloses a digital resource protection method and a related device, wherein a digital resource protection device comprises: a configuration module for configuring N secret index values corresponding to digital resources to be encrypted, wherein N is greater than 0; and the digital logic control module is used for taking any one or more of the N secret index values and the digital resources as input parameters of a preset digital logic circuit and carrying out logic encryption on the digital resources through the preset digital logic circuit. The technical scheme provided by the embodiment of the invention can effectively improve the safety of digital resource protection.

Description

A digital resource protection method and related device

Technical field

The present invention relates to the field of digital resources, and in particular to a digital resource protection method and a related device.

Background art

Digital resources include cultural content products and services that are generated, produced, managed, disseminated, operated and consumed using digital technology, such as digital media, computer software, electronic services, and device usage-rights protection terms.

Currently, digital resources are protected and licensed using a digital rights management (DRM, Digital Rights Management) system. DRM works as follows: a digital resource authorization center is first established; the encoded and compressed digital resource can be encrypted with a key, and the header of the encrypted digital resource stores the key identifier and the uniform resource locator (URL, Universal Resource Locator) of the digital resource authorization center. When the user requests the resource on demand, verification and authorization are performed with the digital resource authorization center according to the key identifier and URL information in the header of the digital resource. Once verification and authorization pass, the user can decrypt the requested digital resource with the key sent by the digital resource authorization center and play it.

Because a DRM system encrypts the digital resource with a key before distribution, once a hacker obtains the decryption key while it is being sent to the user, the media file can easily be decrypted. Protecting digital resources with a DRM system therefore carries a security risk, which can easily lead to problems such as stolen media files and loss of copyright.

Summary of the invention

The embodiments of the present invention provide a digital resource protection method and a related device, which are used to improve the security of digital resource protection.

To solve the above technical problem, the embodiments of the present invention provide the following technical solutions:

A digital resource protection device, comprising:

a configuration module for configuring N secret index values corresponding to a digital resource to be encrypted, where N is greater than 0;

a digital logic control module for taking any one or more of the N secret index values, together with the digital resource, as input parameters of a preset digital logic circuit, and logically encrypting the digital resource through the preset digital logic circuit.

A digital resource usage device, comprising:

an obtaining module for obtaining the authorization information of a registered user, where the authorization information is generated by a digital resource protection device binding the user feature information of the registered user to one of N secret index values, and the digital resource protection device takes any one or more of the N secret index values, together with a digital resource, as input parameters of a preset digital logic circuit and logically encrypts the digital resource through the preset digital logic circuit;

a first feature collection module for collecting the user feature information entered by the registered user;

a first decryption module for obtaining the secret index value bound to the registered user from the user feature information collected by the first feature collection module and the authorization information obtained by the obtaining module;

a second decryption module for taking the secret index value obtained by the first decryption module and the encrypted data of the digital resource as input parameters of the digital logic circuit, and logically decrypting the encrypted data through the digital logic circuit to obtain the digital resource.

A digital resource protection method, comprising:

configuring N secret index values corresponding to a digital resource to be encrypted, where N is greater than 0;

taking any one or more of the N secret index values, together with the digital resource, as input parameters of a preset digital logic circuit, and logically encrypting the digital resource through the preset digital logic circuit.

A digital resource protection method, comprising:

obtaining the authorization information of a registered user, where the authorization information is generated by a digital resource protection device binding the user feature information of the registered user to one of N secret index values, and the digital resource protection device takes any one or more of the N secret index values, together with a digital resource, as input parameters of a preset digital logic circuit and logically encrypts the digital resource through the preset digital logic circuit;

collecting the user feature information entered by the registered user;

obtaining the secret index value bound to the registered user from the collected user feature information and the authorization information;

taking the secret index value bound to the registered user and the encrypted data of the digital resource as input parameters of the digital logic circuit, and logically decrypting the encrypted data through the digital logic circuit to obtain the digital resource.

As can be seen from the above, in the embodiments of the present invention the secret index value corresponding to the digital resource to be protected is used as an input parameter of a digital logic circuit, and the digital resource is logically encrypted through the preset digital logic circuit. Because different digital logic circuits produce different results when encrypting the same data with the same input parameters, even if a hacker obtains the secret index value corresponding to the digital resource by cryptanalysis, the hacker cannot decode and use the digital resource, since the preset digital logic circuit used to encrypt it is difficult to obtain. This greatly improves the security of digital resource protection.

Brief description of the drawings

To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic structural diagram of one embodiment of a digital resource protection device provided by the present invention;

FIG. 2 is a schematic structural diagram of another embodiment of a digital resource protection device provided by the present invention;

FIG. 3 is a schematic flowchart of one embodiment of a digital resource protection method provided by the present invention;

FIG. 4 is a schematic flowchart of another embodiment of a digital resource protection method provided by the present invention;

FIG. 5 is a schematic flowchart of one embodiment of a digital resource usage device provided by the present invention;

FIG. 6 is a schematic flowchart of yet another embodiment of a digital resource protection method provided by the present invention.

Detailed description

The embodiments of the present invention provide a digital resource protection method and a related device.

To make the purpose, features and advantages of the present invention more apparent and easier to understand, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

A digital resource protection device of an embodiment of the present invention is described below. Referring to FIG. 1, the digital resource protection device 100 in this embodiment includes:

a configuration module 101 for configuring N secret index values corresponding to a digital resource to be encrypted, where N is greater than 0;

a digital logic control module 102 for taking any one or more of the N secret index values, together with the digital resource, as input parameters of a digital logic circuit, and logically encrypting the digital resource through the digital logic circuit.

In this embodiment, the configuration module 101 can determine the value of N from the number of copies of the digital resource to be issued. N may equal that number or be greater than it; this is not limited here.

In one implementation, the digital logic control module 102 contains a digital logic circuit. The digital logic control module 102 takes any one of the N secret index values configured by the configuration module 101, together with the digital resource, as input parameters of the digital logic circuit and logically encrypts the digital resource through the circuit. The resulting encrypted data may differ depending on which secret index value is input.

In another implementation, the digital logic control module 102 contains a digital logic circuit, and the digital logic control module 102 can take a set of secret index values, together with the digital resource, as input parameters of the digital logic circuit and logically encrypt the digital resource through the circuit. The resulting encrypted data is then the same for every secret index value in the set. This has an advantage: in the licensed distribution and delivery of the digital resource there is only one encrypted data object, identical for all rights holders, which makes control easier and improves efficiency. The set of secret index values contains M of the N secret index values configured by the configuration module 101, where M is greater than 1 and less than or equal to N.

It should be noted that the digital resource in the embodiments of the present invention may be digital media (one of, or a combination of, digital types such as text, graphics, images, audio and video), computer software, electronic services, device usage-rights protection terms and so on; this is not limited here.

As can be seen from the above, in the embodiments of the present invention the secret index value corresponding to the digital resource to be protected is used as an input parameter of a digital logic circuit, and the digital resource is logically encrypted through a preset digital logic circuit (such as one set by the copyright issuer). Because different digital logic circuits produce different results when encrypting the same data with the same input parameters, even if a hacker obtains the secret index value corresponding to the digital resource by cryptanalysis, the hacker cannot decode and use the digital resource, since the preset digital logic circuit used to encrypt it is difficult to obtain. This greatly improves the security of digital resource protection.

In another embodiment of the present invention, the digital resource protection device 100 can further provide an authorization mechanism for the encrypted digital resource, for use when issuing digital resources. In this embodiment, the N secret index values can be bound to N specific users in advance. The digital logic control module 102 can take a subset G of the N secret index values configured by the configuration module 101, together with the digital resource, as input parameters of the digital logic circuit and logically encrypt the digital resource through the circuit. Only the users bound to elements of the subset G then have the right to decrypt the resulting encrypted data; other users cannot decrypt it. For example, when a legitimate user pays for, or obtains through other legitimate means, the right to use a digital resource, that user's user feature information can be associated with one of the secret index values, carrying the relevant rights, contained in the encrypted digital resource. In other words, only that user, opening his or her secret channel with his or her own user feature information, can correctly decrypt the encrypted digital resource. The user's secret channel is at the level of hardware logic circuitry (for example, bound to a specific digital logic circuit), which can greatly improve protection and security in the use of digital resources.

As shown in FIG. 2, on the basis of the digital resource protection device 100 shown in FIG. 1, the digital resource protection device 200 further includes:

a feature collection module 103 for collecting the user feature information of a registered user;

For ease of understanding and description, in the embodiments of the present invention a user who has obtained the right to use the digital resource is called a registered user. The feature collection module 103 first collects the registered user's user feature information. The user feature information includes any one of the following, or a combination of any two or more: a terminal identifier, specified gesture information, user biometric information, and characters entered by the user. The terminal identifier indicates the terminal the registered user will use when later using the digital resource (for ease of description, this terminal is called the authorized terminal below). Collecting specified gesture information requires the authorized terminal to have a touch-sensing function, so that the registered user can enter the specified gesture through it and the feature collection module 103 can collect the gesture information. The user biometric information requires the authorized terminal to have a biometric reading function; the user biometric may be, for example, a face, pupil or fingerprint.

an authorization module 104 for binding the user feature information of the registered user obtained by the feature collection module 103 to one of the N secret index values to generate the authorization information of the registered user; the authorization information contains the binding relationship between the registered user's user feature information and one secret index value.

In the embodiments of the present invention, for ease of management, one secret index value is assigned to only one registered user. The authorization module selects an unassigned secret index value from the N secret index values and binds it to the user feature information of the registered user, thereby generating the authorization information of the registered user. In one implementation, the generated authorization information of the registered user is specifically the value obtained by XORing the user feature information with the secret index value, that is, where F denotes the user feature information and Aindex1 denotes the secret index value. Of course, the authorization module 104 can also bind the secret index value to the user feature information of the registered user in other ways, which is not limited here. In some scenarios one secret index value can also be assigned to multiple registered users, which is likewise not limited here.

a sending module 105 for sending the authorization information of the registered user to the registered user, so that the registered user, by entering the user feature information and combining it with the authorization information, obtains the secret index value bound to the user and uses that secret index value and the digital logic circuit to decrypt and use the digital resource.

In the embodiments of the present invention, when the registered user receives the authorization information from the sending module 105, because the authorization information contains the binding relationship between the registered user's feature information and one secret index value, the registered user must enter again user feature information consistent with the original. The registration terminal then obtains the registered user's secret index value from the re-entered user feature information and the authorization information, and uses that secret index value with the same digital logic circuit as the digital logic control module 102 to decrypt the digital resource. For example, assume the authorization information is the value obtained by XORing the user feature information F with the secret index value Aindex1, that is F=0111001, Aindex1=1010001, then the value of the authorization information At this point, if the user feature information entered again by the user is F, XORing the entered user feature information F with U1 yields Aindex1, as In practical applications, the user feature information collected by the registration terminal may not be exactly the same each time. For specified gestures and user biometric information, for instance, a slight change in the sampling points changes the user feature information finally collected; when the user has obtained the authorization information, the user feature information entered again may be F'. The embodiments of the present invention therefore also provide an error-tolerance and error-correction mechanism: by setting an error correction code (ECC, Error Correction Code), the value of one item of the user feature information, or of a combination of several items, is treated as the same value within a predetermined range of variation. That is, user feature information entered by the registered user is considered to be the same user feature information as long as it falls within a certain adaptation range. For example, assuming an error correction code ECC is set, one can let If the user feature information F' entered by the registered user is within the above adaptation range, then by F can be obtained; if the user feature information F' entered by the registered user is not within the above adaptation range, then by F cannot be obtained.
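The binding and recovery steps described above, as an added Python example that is not taken from the patent. The exact-match part uses the text's own values for F and Aindex1; the page's ECC formulas did not survive extraction, so the tolerant part substitutes a fuzzy-commitment construction with a 5-fold repetition code, and the function names, the 35-bit sample feature and the SHA-256 check tag are all assumptions.

```python
"""Added example: binding a secret index value to user feature information."""
import hashlib
import hmac
from typing import List, Optional, Sequence, Tuple

REP = 5  # assumption: each index bit is repeated 5 times (corrects 2 flips per bit)


def bind(feature: int, index: int) -> int:
    """Authorization information as the text describes it: F XOR Aindex1."""
    return feature ^ index


def recover(feature_in: int, auth: int) -> int:
    """XOR the re-entered feature with the authorization information."""
    return feature_in ^ auth


def _encode(index: int, nbits: int) -> List[int]:
    """Repetition code: most significant bit first, each bit REP times."""
    bits = [(index >> (nbits - 1 - i)) & 1 for i in range(nbits)]
    return [b for b in bits for _ in range(REP)]


def _decode(code: Sequence[int]) -> int:
    """Majority vote over each group of REP bits."""
    value = 0
    for i in range(0, len(code), REP):
        bit = 1 if sum(code[i:i + REP]) > REP // 2 else 0
        value = (value << 1) | bit
    return value


def _tag(index: int, nbits: int) -> bytes:
    # Check value so a failed recovery is detected instead of yielding a
    # wrong index. Toy size here; a real index must be long enough that
    # the tag cannot be enumerated.
    return hashlib.sha256(index.to_bytes((nbits + 7) // 8, "big")).digest()


def enroll(feature_bits: Sequence[int], index: int,
           nbits: int) -> Tuple[List[int], bytes]:
    """Tolerant binding: helper = F XOR encode(index), plus a check tag."""
    code = _encode(index, nbits)
    if len(code) != len(feature_bits):
        raise ValueError("feature must have nbits * REP bits")
    return [f ^ c for f, c in zip(feature_bits, code)], _tag(index, nbits)


def recover_tolerant(feature_bits: Sequence[int], helper: Sequence[int],
                     tag: bytes, nbits: int) -> Optional[int]:
    """Return the bound index if F' is close enough to F, else None."""
    if len(feature_bits) != len(helper):
        return None
    index = _decode([f ^ h for f, h in zip(feature_bits, helper)])
    return index if hmac.compare_digest(_tag(index, nbits), tag) else None


def flip(bits: Sequence[int], positions: Sequence[int]) -> List[int]:
    """Simulate sampling noise by inverting the bits at the given positions."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]


# Values from the text.
F = 0b0111001
AINDEX1 = 0b1010001
# Constructed 35-bit sample feature (7 index bits * REP), not from the page.
FEATURE_BITS = [int(c) for c in "10110011100011110000101011001101011"]

if __name__ == "__main__":
    u1 = bind(F, AINDEX1)
    print(f"U1 = {u1:07b}, recovered index = {recover(F, u1):07b}")
    helper, tag = enroll(FEATURE_BITS, AINDEX1, 7)
    near = flip(FEATURE_BITS, [0, 3, 12])   # within the tolerance
    far = flip(FEATURE_BITS, [0, 1, 2])     # three flips in one group
    print(recover_tolerant(near, helper, tag, 7))
    print(recover_tolerant(far, helper, tag, 7))
```

Because the exact-match binding is a plain XOR, anyone who holds both the authorization information and the feature value obtains the index, so a feature such as a terminal identifier only protects the index if it is kept secret.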

Further, the embodiment of the present invention also provides a fine-grained control mechanism:

In one implementation, at least one of the N secret security index values is a first secret security index value configured with a first response vector value, which controls how many times the registered user bound to the first secret security index value may use the digital resource. The first response vector value changes as the number of uses by the registered user increases, such that when the number of uses reaches a preset threshold, the current first response vector value invalidates the first secret security index value, or invalidates the binding between the first secret security index value and the registered user's user characteristic information. For example, suppose a first response vector value of 0 invalidates the first secret security index value or its binding to the registered user's user characteristic information. If the digital resource protection device 100 allows the registered user to use the digital resource only 50 times, the first response vector value can be set to 50, and each use of the digital resource by the registered user decrements it by one.

In another implementation, at least one of the N secret security index values is a second secret security index value configured with a second response vector value, which limits the time period during which the registered user bound to the second secret security index value may use the digital resource. The second response vector value changes with time; alternatively, it can stay unchanged while the current time falls within the specified period and change, only when the current time is outside that period, to a value that invalidates the first secret security index value or its binding to the registered user's user characteristic information. For example, suppose a first response vector value of 0 invalidates the first secret security index value or its binding to the registered user's user characteristic information. If the digital resource protection device 100 allows the registered user to use the digital resource only within time period T, the second response vector value can be set to T: while the current time is within T, the second response vector value is non-zero, and when the current time is not within T, the second response vector value becomes 0.

In yet another implementation, at least one of the N secret security index values is a third secret security index value configured with a third response vector value, which restricts the electronic device that the registered user bound to the third secret security index value must use when using the digital resource (for example, restricting the device type, the device model, or one specific electronic device).

In yet another implementation, at least one of the N secret security index values is a fourth secret security index value configured with a fourth response vector value, which restricts the physical location where the registered user bound to the fourth secret security index value must be when using the digital resource.

Of course, other response vector values may also be configured on a secret security index value in this embodiment to control other rights of registered users to use the digital resource, which is not limited here.

Further, given that the digital resource can circulate, the group of users entitled to use it may change: a registered user may transfer a purchased digital resource to another user, or the number of uses or the usage period of a purchased digital resource may expire. In these cases the registered user becomes invalid, so the digital protection apparatus 100 also includes:

A deregistration module, configured to deregister an authorized registered user so that this user can no longer decrypt the digital resource. Specifically, the registration module may deregister the registered user in, but not limited to, the following ways: invalidating the secret security index value bound to the registered user, or removing the binding between the registered user's user characteristic information and the bound secret security index value.

For example, consider two users F1 and F2 in the secondary market, where F1 originally has the usage right and F2 does not. If F1 transfers the purchased digital resource to F2, the deregistration module removes the binding between F1's user characteristic information and the bound secret security index value. The feature collection module 103 acquires F2's user characteristic information, the authorization module 104 binds the secret security index value previously bound to F1 to F2's user characteristic information and generates F2's authorization information, and the sending module 105 sends that authorization information to F2. This completes the exchange of usage rights between F1 and F2: afterwards F1 can no longer use the exchanged digital resource, and F2 inherits F1's original usage rights to it.

An embodiment of the present invention also provides a digital resource protection method. The method is described below from the perspective of the digital resource protection device. Referring to FIG. 3, it includes:

301. Configure N secret security index values corresponding to the digital resource to be encrypted, where N is greater than 0;

In this embodiment, the value of N can be determined from the issue volume of the digital resource. For example, N can equal the issue volume of the digital resource; N can also be greater than the issue volume, which is not limited here.

302. Use any one or more of the N secret security index values, together with the digital resource, as input parameters of a digital logic circuit, and logically encrypt the digital resource through the digital logic circuit;

In one implementation, the digital resource protection device contains a digital logic circuit. The device uses any one of the N secret security index values and the digital resource as input parameters of the digital logic circuit and logically encrypts the digital resource through it. The resulting encrypted data may differ depending on which secret security index value is input.

In another implementation, the digital logic control module contains a digital logic circuit. The module can use a set of secret security index values and the digital resource as input parameters of the digital logic circuit and logically encrypt the digital resource through it, in which case the resulting encrypted data is the same for every secret security index value in the set. The advantage is that authorized distribution and delivery of the digital resource involves only one piece of encrypted data, identical for all authorized users, which makes control easier and improves efficiency. The set of secret security index values contains M of the N secret security index values, where M is greater than 1 and less than or equal to N.

It should be noted that the digital resource in the embodiments of the present invention can be digital media (one or a combination of digital types such as text, graphics, images, audio and video), computer software, electronic services, device usage rights protection terms, and so on, which is not limited here.

As can be seen from the above, in this embodiment the secret security index value corresponding to the digital resource to be protected is used as an input parameter of a digital logic circuit, and the digital resource is logically encrypted through a preset digital logic circuit (such as one set by the copyright issuer). Different digital logic circuits produce different results when encrypting the same data with the same input parameters. Therefore, even if an attacker obtains the secret security index value corresponding to the digital resource by cryptanalysis, the difficulty of obtaining the preset digital logic circuit used to encrypt it means the digital resource still cannot be decoded and used, which greatly improves the security of digital resource protection.

Another embodiment of the present invention also provides an authorization mechanism for the encrypted digital resource, for use in distributing digital resources. In this embodiment, the N secret security index values can be bound to N specific users in advance. The digital logic control module can use a subset G of the configured N secret security index values and the digital resource as input parameters of the digital logic circuit and logically encrypt the digital resource through it. Only the users bound to elements of the subset G then have the right to decrypt the resulting encrypted data; other customers cannot decrypt it. For example, when a legitimate user pays for, or obtains through other legitimate channels, the right to use a digital resource, that user's user characteristic information can be associated with one of the secret security index values carrying the relevant rights that is contained in the encrypted digital resource. In other words, only that user, opening the secret security channel with his or her own user characteristic information, can correctly decrypt the encrypted digital resource.

The user's secret security channel is at the level of hardware logic circuitry (for example, bound to a specific digital logic circuit), which can greatly improve protection and security in the use of digital resources. For ease of understanding and description, users who have obtained the right to use the digital resource are referred to below as registered users. Referring to FIG. 4, another embodiment of the digital resource protection method includes:

Steps 401 to 402 are similar to steps 301 to 302 in the example shown in FIG. 3; refer to the implementation of steps 301 to 302, which is not repeated here.

403. Collect the user characteristic information of the registered user;

First, the digital resource protection device collects the user characteristic information of the registered user. The user characteristic information includes any one, or a combination of any two or more, of the following: a terminal identifier, specified gesture information, user biometric information, and characters entered by the user. The terminal identifier indicates the terminal the registered user will later use to access the digital resource (for ease of description, this terminal is referred to below as the authorized terminal). Collecting specified gesture information requires the authorized terminal to have a touch-sensing function, which the registered user uses to enter the specified gesture so that the digital resource protection device can collect it. Collecting user biometric information requires the authorized terminal to have a biometric reading function; the biometric can be, for example, a face, a pupil or a fingerprint.

404. Bind the user characteristic information of the registered user to one of the N secret security index values to generate the authorization information of the registered user;

In this embodiment, for ease of management, a secret security index value is assigned to only one registered user. The authorization module selects an unassigned secret security index value from the N secret security index values and binds it to the registered user's user characteristic information, thereby generating the registered user's authorization information. In one implementation, the generated authorization information is the value obtained by XORing the user characteristic information with the secret security index value, where F denotes the user characteristic information and Aindex1 denotes the secret security index value. The digital resource protection device can also bind the secret security index value to the registered user's user characteristic information in other ways, which is not limited here. In some scenarios a secret security index value can also be assigned to multiple registered users, which is not limited here either.

405. Send the authorization information of the registered user to the registered user, so that the registered user can derive the secret security index value bound to him or her from the authorization information and the user characteristic information he or she enters, and decrypt the digital resource using that secret security index value and the digital logic circuit.

In this embodiment of the present invention, the authorization information that the registered user receives from the digital resource protection device contains the binding relationship between the registered user's characteristic information and one secret security index value. The registered user therefore has to enter user characteristic information consistent with the original again, so that the registration terminal can derive the registered user's secret security index value from the re-entered user characteristic information and the authorization information, and then decrypt the digital resource with that secret security index value and the same digital logic circuit as the digital logic control module 102.

As in the example above, assume the authorization information is the XOR of the user characteristic information F and the secret security index value Aindex1, with F=0111001 and Aindex1=1010001. If the user then enters user characteristic information F again, XORing the entered F with the authorization information U1 yields Aindex1. In practical applications, the user characteristic information collected by the registration terminal may not be exactly the same each time. For user-specified gestures and user biometric information, for instance, slight changes in the sampling points alter the collected user characteristic information, so the user characteristic information re-entered after the user obtains the authorization information may be F'. The embodiment therefore also provides a fault-tolerant error correction mechanism: an ECC is set so that the value of one item of the user characteristic information, or of a combination of several items, is treated as the same within a predetermined range of variation. That is, user characteristic information entered by the registered user is regarded as the same user characteristic information as long as it stays within a certain tolerance range. For example, with the error correction code ECC set, if the user characteristic information F' entered by the registered user is within the tolerance range, F can be obtained from it; if F' is not within the tolerance range, F cannot be obtained.
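The XOR binding and error-tolerant recovery described here and in the device embodiment, as an added example that is not part of the patent: the binding uses the text's own values for F and Aindex1, while the Hamming(7,4) code-offset sketch and the SHA-256 check tag are assumptions, because the patent's ECC formula is not reproduced on this page.

```python
import hashlib
import secrets

N_BITS = 7  # length of the example values F and Aindex1 given in the text


def bind(f: int, aindex: int) -> int:
    """Authorization information as described in the text: U = F xor Aindex."""
    return f ^ aindex


def syndrome(word: int) -> int:
    """Hamming(7,4) syndrome: XOR of the 1-based positions of the set bits."""
    s = 0
    for pos in range(1, N_BITS + 1):
        if (word >> (pos - 1)) & 1:
            s ^= pos
    return s


def nearest_codeword(word: int) -> int:
    """Flip the single bit the syndrome points at (no-op for a codeword)."""
    s = syndrome(word)
    return word ^ (1 << (s - 1)) if s else word


def make_sketch(f: int) -> int:
    """Assumed helper data: F offset by a random codeword (code-offset sketch)."""
    return f ^ nearest_codeword(secrets.randbits(N_BITS))


def correct_feature(f_noisy: int, sketch: int) -> int:
    """Map a re-entered F' back to F when it differs from F in at most one bit."""
    return nearest_codeword(f_noisy ^ sketch) ^ sketch


def tag(aindex: int) -> bytes:
    """Assumed check value so a wrong recovery is rejected instead of used.
    (7-bit toy values; a real index value would be far longer.)"""
    return hashlib.sha256(b"aindex-check" + bytes([aindex])).digest()


def recover_index(f_noisy: int, u: int, sketch: int, check: bytes):
    """Return Aindex if F' is within the tolerance range, otherwise None."""
    aindex = correct_feature(f_noisy, sketch) ^ u
    return aindex if secrets.compare_digest(tag(aindex), check) else None


def demo():
    f, aindex1 = 0b0111001, 0b1010001           # values from the text
    u1 = bind(f, aindex1)
    sketch, check = make_sketch(f), tag(aindex1)
    exact = recover_index(f, u1, sketch, check)
    # Constructed noisy inputs F': one flipped bit, then two flipped bits.
    one_bit_off = recover_index(f ^ 0b0000100, u1, sketch, check)
    two_bits_off = recover_index(f ^ 0b0000110, u1, sketch, check)
    return u1, exact, one_bit_off, two_bits_off


if __name__ == "__main__":
    print([None if v is None else format(v, "07b") for v in demo()])
```

An input outside the tolerance range does not fail on its own: the decoder silently lands on a different codeword, so a check such as the tag is what turns "F cannot be obtained" into an explicit rejection.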

Further, the embodiment of the present invention also provides a fine-grained control mechanism:

In one implementation, at least one of the N secret security index values is a first secret security index value configured with a first response vector value, which controls how many times the registered user bound to the first secret security index value may use the digital resource. The first response vector value changes as the number of uses by the registered user increases, such that when the number of uses reaches a preset threshold, the current first response vector value invalidates the first secret security index value, or invalidates the binding between the first secret security index value and the registered user's user characteristic information. For example, suppose a first response vector value of 0 invalidates the first secret security index value or its binding to the registered user's user characteristic information. If the digital resource protection device 100 allows the registered user to use the digital resource only 50 times, the first response vector value can be set to 50, and each use of the digital resource by the registered user decrements it by one.

In another implementation, at least one of the N secret security index values is a second secret security index value configured with a second response vector value, which limits the time period during which the registered user bound to the second secret security index value may use the digital resource. The second response vector value changes with time; alternatively, it can stay unchanged while the current time falls within the specified period and change, only when the current time is outside that period, to a value that invalidates the first secret security index value or its binding to the registered user's user characteristic information. For example, suppose a first response vector value of 0 invalidates the first secret security index value or its binding to the registered user's user characteristic information. If the digital resource protection device 100 allows the registered user to use the digital resource only within time period T, the second response vector value can be set to T: while the current time is within T, the second response vector value is non-zero, and when the current time is not within T, the second response vector value becomes 0.

In yet another implementation, at least one of the N secret security index values is a third secret security index value configured with a third response vector value, which restricts the electronic device that the registered user bound to the third secret security index value must use when using the digital resource (for example, restricting the device type, the device model, or one specific electronic device).

In yet another implementation, at least one of the N secret security index values is a fourth secret security index value configured with a fourth response vector value, which restricts the physical location where the registered user bound to the fourth secret security index value must be when using the digital resource.

Of course, other response vector values may also be configured on a secret security index value in this embodiment to control other rights of registered users to use the digital resource, which is not limited here.

Further, given that the digital resource can circulate, the group of users entitled to use it may change: a registered user may transfer a purchased digital resource to another user, or the number of uses or the usage period of a purchased digital resource may expire. In these cases the registered user becomes invalid. The digital resource protection method of this embodiment therefore also includes: deregistering an authorized registered user so that this user can no longer decrypt the digital resource. Specifically, the digital resource protection device may deregister the registered user in, but not limited to, the following ways: invalidating the secret security index value bound to the registered user, or removing the binding between the registered user's user characteristic information and the bound secret security index value.

For example, consider two users F1 and F2 in the secondary market, where F1 originally has the usage right and F2 does not. If F1 transfers the purchased digital resource to F2, the deregistration module removes the binding between F1's user characteristic information and the bound secret security index value. The feature collection module 103 acquires F2's user characteristic information, the authorization module 104 binds the secret security index value previously bound to F1 to F2's user characteristic information and generates F2's authorization information, and the sending module 105 sends that authorization information to F2. This completes the exchange of usage rights between F1 and F2: afterwards F1 can no longer use the exchanged digital resource, and F2 inherits F1's original usage rights to it.
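One way the response vector values and the deregistration and transfer steps could be enforced, as an added example that is not the patent's own code: the `Registry` class, its slot numbers, the SHA-256 feature digest and the epoch-second time window are all assumptions made for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class IndexEntry:
    value: int                                # secret security index value
    uses_left: Optional[int] = None           # first response vector value
    window: Optional[Tuple[int, int]] = None  # second response vector: [start, end)
    bound_to: Optional[bytes] = None          # digest of the bound user's F (assumed)
    valid: bool = True


def feature_digest(f: int) -> bytes:
    """Assumed bookkeeping: remember which F is bound without storing F itself."""
    return hashlib.sha256(f.to_bytes(8, "big")).digest()


class Registry:
    """Hypothetical protection-device state for N secret security index values."""

    def __init__(self, n: int, bits: int = 32):
        self.entries = [IndexEntry(secrets.randbits(bits)) for _ in range(n)]

    def authorize(self, f: int, uses=None, window=None):
        """Bind F to an unassigned index value; return (slot, U = F xor index)."""
        for slot, e in enumerate(self.entries):
            if e.valid and e.bound_to is None:
                e.bound_to = feature_digest(f)
                e.uses_left, e.window = uses, window
                return slot, f ^ e.value
        raise RuntimeError("no unassigned secret security index value left")

    def use(self, slot: int, f: int, now: int) -> Optional[int]:
        """Return the index value if every response vector allows this use."""
        e = self.entries[slot]
        if not e.valid or e.bound_to != feature_digest(f):
            return None                       # invalidated, unbound or other user
        if e.window is not None and not (e.window[0] <= now < e.window[1]):
            return None                       # outside time period T
        if e.uses_left is not None:
            if e.uses_left == 0:
                return None                   # use count exhausted
            e.uses_left -= 1                  # one use decrements the value by one
        return e.value

    def deregister(self, slot: int, invalidate_index: bool = False) -> None:
        """Either invalidate the index value or only remove the binding."""
        e = self.entries[slot]
        e.bound_to = None
        if invalidate_index:
            e.valid = False

    def transfer(self, slot: int, f_new: int) -> int:
        """Rebind the same index value to a new user, who inherits the rights."""
        e = self.entries[slot]
        e.bound_to = feature_digest(f_new)
        return f_new ^ e.value                # authorization information for F2


def transfer_demo():
    f1, f2 = 0b0111001, 0b1100110             # constructed feature values
    reg = Registry(n=2)
    slot, u1 = reg.authorize(f1, uses=2, window=(100, 200))
    first = reg.use(slot, f1, now=150)        # allowed, one use left afterwards
    u2 = reg.transfer(slot, f2)
    old_user = reg.use(slot, f1, now=150)     # F1 is no longer bound
    new_user = reg.use(slot, f2, now=150)     # F2 consumes the remaining use
    exhausted = reg.use(slot, f2, now=150)    # count has reached 0
    return first, u1 ^ f1, u2 ^ f2, old_user, new_user, exhausted
```

After a transfer the former user's authorization information still XORs to the same index value, so revocation in this sketch depends on the registry's binding check at the point of use.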

It should be noted that the digital resource in the embodiments of the present invention can be digital media (one or a combination of digital types such as text, graphics, images, audio and video), computer software, electronic services, device usage rights protection terms, and so on, which is not limited here.

It should be noted that the digital resource protection method in this embodiment can be applied to the digital resource protection device of the device embodiment above and can be used to implement all of the technical solutions in that embodiment. The functions of the functional modules in the device embodiment can be implemented according to the method in this method embodiment; for the specific implementation process, refer to the related description in this method embodiment, which is not repeated here.

As can be seen from the above, in this embodiment the secret security index value corresponding to the digital resource to be protected is used as an input parameter of a digital logic circuit, and the digital resource is logically encrypted through a preset digital logic circuit (such as one set by the copyright issuer). Different digital logic circuits produce different results when encrypting the same data with the same input parameters. Therefore, even if an attacker obtains the secret security index value corresponding to the digital resource by cryptanalysis, the difficulty of obtaining the preset digital logic circuit used to encrypt it means the digital resource still cannot be decoded and used, which greatly improves the security of digital resource protection.

An embodiment of the present invention also provides a digital resource usage device. As shown in FIG. 5, the digital resource usage device 500 in this embodiment includes:

An obtaining module 501, configured to obtain the authorization information of a registered user, where the authorization information is generated by the digital resource protection device by binding the registered user's user characteristic information to one of N secret security index values;

本发明实施例中,上述数字资源保护设备将上述N个秘保索引值中的任意一个或者多个,和数字资源作为预设的数字逻辑电路的输入参数,通过预设的数字逻辑电路对上述数字资源进行逻辑加密,其中,上述N大于0。当注册用户获得数字资源保护设备的授权之后,数字资源保护设备将生成的该注册用户的授权信息发送给该注册用户,以便获取模块501获取该注册用户的授权信息。In the embodiment of the present invention, the above-mentioned digital resource protection device uses any one or more of the above-mentioned N secret protection index values and digital resources as the input parameters of the preset digital logic circuit, and uses the preset digital logic circuit to control the above-mentioned Digital resources are logically encrypted, wherein the above N is greater than 0. After the registered user obtains the authorization of the digital resource protection device, the digital resource protection device sends the generated authorization information of the registered user to the registered user, so that the obtaining module 501 obtains the authorization information of the registered user.

第一特征采集模块502,用于采集上述注册用户输入的用户特征信息;The first feature collection module 502 is configured to collect the user feature information input by the above-mentioned registered user;

The user characteristic information in this embodiment includes any one of the following items, or a combination of any two or more of them: a terminal identifier, specified gesture information, user biometric information, and characters input by the user. The terminal identifier identifies the digital resource usage device 500. Collecting specified gesture information requires the digital resource usage device 500 to have a touch-sensing function, so that the registered user can input the specified gesture through it and the first feature collection module 502 can collect the specified gesture information. User biometric information requires the digital resource usage device 500 to have a biometric reading function; the user biometric may be, for example, a face, a pupil, or a fingerprint. It should be noted that the user characteristic information collected by the first feature collection module 502 is consistent with the user characteristic information that the registered user provided when obtaining authorization from the digital resource protection device.
In practice, the user characteristic information collected by the first feature collection module 502 may not be exactly the same each time. For a user-specified gesture or user biometric information, for example, slight changes at the sampling points change the user characteristic information that is finally collected; after the user has obtained the authorization information, the user characteristic information input again may be F'. This embodiment therefore also provides a fault-tolerant error correction mechanism: by setting an ECC, the value of one item of the user characteristic information, or the value of a combination of several items, is treated as the same value within a predetermined range of variation. That is, user characteristic information collected by the first feature collection module 502 is regarded as the same user characteristic information as long as it falls within a certain tolerance range. For example, assuming that the error correction code ECC is set, one can let If the user characteristic information F' collected by the first feature collection module 502 is within the above tolerance range, then by F can be obtained; if the user characteristic information F' collected by the first feature collection module 502 is not within the above tolerance range, then by F cannot be obtained.

A first decryption module 503, configured to obtain the security index value bound to the registered user according to the user characteristic information input by the registered user and collected by the first feature collection module 502, and the authorization information obtained by the obtaining module 501;

A second decryption module 504, configured to use the security index value obtained by the first decryption module 503 and the encrypted data of the digital resource as input parameters of the digital logic circuit, and to logically decrypt the encrypted data by means of the digital logic circuit to obtain the digital resource.

Further, considering that the digital resource circulates, the group of users entitled to use it may change, for example when a registered user transfers a purchased digital resource to another user. The digital resource usage device therefore further includes:

A second feature collection module, configured to collect the user characteristic information of another user;

A permission exchange module, configured to bind the security index value obtained by the first decryption module 503 to the user characteristic information of the other user collected by the second feature collection module, to generate authorization information of the other user;

A sending module, configured to send the authorization information of the other user to the other user, so that the other user obtains the right to use the digital resource.

Further, the permission exchange module is also configured to deregister the registered user, so that the registered user can no longer decrypt the digital resource, that is, loses the right to use it.

It should be noted that the digital resource in the embodiments of the present invention may be digital media (such as one of, or a combination of several of, text, graphics, images, audio, video and other digital types), computer software, an electronic service, device usage-right protection terms, and so on, which is not limited here.

As can be seen from the above, in this embodiment of the present invention the security index value corresponding to the digital resource to be kept secret is used as an input parameter of a digital logic circuit, and the digital resource is logically encrypted by a preset digital logic circuit (for example, a digital logic circuit set by the copyright issuer). Because different digital logic circuits produce different results when encrypting the same data with the same input parameters, even if a hacker obtains the security index value corresponding to the digital resource by cracking, the hacker still cannot decode and use the digital resource, because the preset digital logic circuit used to encrypt it is difficult to obtain. Only an authorized registered user who decrypts the encrypted data of the digital resource through the digital resource usage device can use the digital resource, which greatly improves the security of digital resource protection.

An embodiment of the present invention further provides a digital resource protection method. The method is described below from the perspective of the digital resource usage device. Referring to FIG. 6, it includes:

601. Obtain the authorization information of the registered user;

The authorization information is generated by the digital resource protection device by binding the user characteristic information of the registered user to one of N security index values.

In this embodiment, the digital resource protection device uses any one or more of the N security index values, together with the digital resource, as input parameters of a preset digital logic circuit, and logically encrypts the digital resource by means of the preset digital logic circuit, where N is greater than 0. After the registered user is authorized by the digital resource protection device, the digital resource protection device sends the generated authorization information of the registered user to the registered user, so that the obtaining module 501 can obtain it.

602. Collect the user characteristic information input by the registered user;

The user characteristic information in this embodiment includes any one of the following items, or a combination of any two or more of them: a terminal identifier, specified gesture information, user biometric information, and characters input by the user. The terminal identifier identifies the digital resource usage device. Collecting specified gesture information requires the digital resource usage device to have a touch-sensing function, so that the registered user can input the specified gesture through it and the digital resource usage device can collect the specified gesture information. User biometric information requires the digital resource usage device to have a biometric reading function; the user biometric may be, for example, a face, a pupil, or a fingerprint. It should be noted that the user characteristic information collected by the digital resource usage device is consistent with the user characteristic information that the registered user provided when obtaining authorization from the digital resource protection device.
In practice, the user characteristic information collected by the digital resource usage device may not be exactly the same each time. For a user-specified gesture or user biometric information, for example, slight changes at the sampling points change the user characteristic information that is finally collected; after the user has obtained the authorization information, the user characteristic information input again may be F'. This embodiment therefore also provides a fault-tolerant error correction mechanism: by setting an ECC, the value of one item of the user characteristic information, or the value of a combination of several items, is treated as the same value within a predetermined range of variation. That is, user characteristic information collected by the digital resource usage device is regarded as the same user characteristic information as long as it falls within a certain tolerance range. For example, assuming that the error correction code ECC is set, one can let If the user characteristic information F' collected by the digital resource usage device is within the above tolerance range, then by F can be obtained; if the user characteristic information F' collected by the digital resource usage device is not within the above tolerance range, then by F cannot be obtained.

603. Obtain the security index value bound to the registered user according to the collected user characteristic information input by the registered user and the authorization information.

604. Use the security index value bound to the registered user and the encrypted data of the digital resource as input parameters of the digital logic circuit, and logically decrypt the encrypted data by means of the digital logic circuit to obtain the digital resource.

Further, considering that the digital resource circulates, the group of users entitled to use it may change, for example when a registered user transfers a purchased digital resource to another user. The digital resource protection method in this embodiment therefore further includes: collecting the user characteristic information of another user; binding the security index value obtained in step 603 to the collected user characteristic information of the other user, to generate authorization information of the other user; and sending the authorization information of the other user to the other user, so that the other user obtains the right to use the digital resource. Further, after generating the authorization information of the other user, the digital resource usage device may also deregister the registered user, so that the registered user can no longer decrypt the digital resource, that is, loses the right to use it.
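Steps 601 to 604 and the transfer step above, as an added example that is not taken from the patent: the patent's binding formulas did not survive on this page, so the binding here is an assumed fuzzy-commitment construction with a 5-fold repetition code as the ECC, and `logic_circuit` (an HMAC-SHA-256 keystream keyed by a hypothetical `circuit_secret`) stands in for the preset digital logic circuit. All names and sample values are constructed.

```python
import hashlib
import hmac
import random

REP = 5  # assumed ECC: every index bit is stored 5 times, so 2 flips per group are corrected


def ecc_encode(data):
    """Expand bytes into bits (LSB first) and repeat every bit REP times."""
    bits = [(byte >> i) & 1 for byte in data for i in range(8)]
    return [b for b in bits for _ in range(REP)]


def ecc_decode(bits):
    """Majority-vote each group of REP bits, then repack the bits into bytes."""
    voted = [1 if sum(bits[i:i + REP]) > REP // 2 else 0
             for i in range(0, len(bits), REP)]
    return bytes(sum(bit << j for j, bit in enumerate(voted[i:i + 8]))
                 for i in range(0, len(voted), 8))


def bind(feature_bits, index_value):
    """Protection device: bind feature F to an index value -> authorization info."""
    code = ecc_encode(index_value)
    if len(feature_bits) != len(code):
        raise ValueError("feature vector must have len(index_value) * 8 * REP bits")
    return {
        "helper": [f ^ c for f, c in zip(feature_bits, code)],  # F XOR ECC(index)
        "check": hashlib.sha256(index_value).digest(),         # detects a wrong recovery
    }


def recover_index(feature_bits, auth):
    """Step 603: F' XOR helper is a noisy codeword; the ECC removes small errors."""
    noisy_code = [f ^ h for f, h in zip(feature_bits, auth["helper"])]
    candidate = ecc_decode(noisy_code)
    if hmac.compare_digest(hashlib.sha256(candidate).digest(), auth["check"]):
        return candidate
    return None  # F' was outside the tolerance range


def logic_circuit(circuit_secret, index_value, data):
    """Stand-in for the preset circuit: XOR keystream, so the same call encrypts
    and decrypts. Illustration only; it provides no integrity protection."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(circuit_secret, index_value + offset.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(d ^ k for d, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def use_resource(circuit_secret, feature_bits, auth, ciphertext):
    """Steps 602 to 604 on the usage device; returns None when binding fails."""
    index_value = recover_index(feature_bits, auth)
    if index_value is None:
        return None
    return logic_circuit(circuit_secret, index_value, ciphertext)


def demo():
    rng = random.Random(7)  # constructed sample data, fixed seed for repeatability
    index_value = bytes(rng.randrange(256) for _ in range(16))
    feature = [rng.randrange(2) for _ in range(16 * 8 * REP)]        # F at registration
    other_feature = [rng.randrange(2) for _ in range(16 * 8 * REP)]  # another user
    circuit = b"constructed-circuit-secret"
    plaintext = b"constructed sample content of the protected digital resource"
    ciphertext = logic_circuit(circuit, index_value, plaintext)
    auth = bind(feature, index_value)  # step 601 delivers this to the user

    near = list(feature)               # F': at most 2 flipped bits in any group
    for i in (0, 3, 100):
        near[i] ^= 1
    far = list(feature)                # 3 flipped bits in group 0: beyond the ECC
    for i in (0, 1, 2):
        far[i] ^= 1

    # Transfer: rebind the recovered index value to the other user's features.
    other_auth = bind(other_feature, recover_index(near, auth))
    return {
        "plaintext": plaintext,
        "near": use_resource(circuit, near, auth, ciphertext),
        "far": use_resource(circuit, far, auth, ciphertext),
        "wrong_circuit": logic_circuit(b"another-circuit", index_value, ciphertext),
        "transferred": use_resource(circuit, other_feature, other_auth, ciphertext),
        "stranger": use_resource(circuit, other_feature, auth, ciphertext),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The repetition code is chosen only because it makes the tolerance boundary easy to see; a deployment would pick a code matched to the error rate of the sensor that produces the features.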

It should be noted that the digital resource in the embodiments of the present invention may be digital media (such as one of, or a combination of several of, text, graphics, images, audio, video and other digital types), computer software, an electronic service, device usage-right protection terms, and so on, which is not limited here.

It should be noted that the digital resource protection method in this embodiment of the present invention can be applied to the digital resource usage device in the foregoing device embodiment and can be used to implement all the technical solutions of that device embodiment. The functions of the functional modules in the device embodiment can be implemented according to the method in this method embodiment; for the specific implementation process, refer to the related description in this method embodiment, which is not repeated here.

As can be seen from the above, in this embodiment of the present invention the security index value corresponding to the digital resource to be kept secret is used as an input parameter of a digital logic circuit, and the digital resource is logically encrypted by a preset digital logic circuit (for example, a digital logic circuit set by the copyright issuer). Because different digital logic circuits produce different results when encrypting the same data with the same input parameters, even if a hacker obtains the security index value corresponding to the digital resource by cracking, the hacker still cannot decode and use the digital resource, because the preset digital logic circuit used to encrypt it is difficult to obtain. Only an authorized registered user who decrypts the encrypted data of the digital resource through the digital resource usage device can use the digital resource, which greatly improves the security of digital resource protection.

In the foregoing embodiments, the description of each embodiment has its own emphasis. For parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.

The digital resource protection method and related device provided by the present invention have been described in detail above. Specific examples are used herein to explain the principles and implementations of the present invention, and the description of the above embodiments is intended only to help in understanding the method of the present invention and its core idea. A person of ordinary skill in the art may, following the idea of the embodiments of the present invention, make changes to the specific implementations and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (22)

1. A digital resource protection device, characterized by comprising:
a configuration module, configured to configure N security index values corresponding to a digital resource to be encrypted, wherein N is greater than 0, and the number of the security index values is greater than or equal to the circulation of the digital resource;
a digital logic control module, configured to use any one or more of the N security index values, together with the digital resource, as input parameters of a preset digital logic circuit, and to logically encrypt the digital resource by means of the preset digital logic circuit;
the digital resource protection device further comprising:
a feature collection module, configured to collect user characteristic information of a registered user;
an authorization module, configured to bind the user characteristic information of the registered user obtained by the feature collection module to one of the N security index values, to generate authorization information of the registered user;
a sending module, configured to send the authorization information of the registered user to the registered user, so that the registered user, by inputting user characteristic information and combining it with the authorization information of the registered user, obtains the security index value bound to the registered user, and decrypts the digital resource using that security index value and the digital logic circuit.
2. The digital resource protection device according to claim 1, characterized in that
the N security index values include at least one first security index value configured with a first response vector value, the first response vector value being used to control the number of times that the registered user bound to the first security index value uses the digital resource.
3. The digital resource protection device according to claim 1, characterized in that
the N security index values include at least one second security index value configured with a second response vector value, the second response vector value being used to limit the time period in which the registered user bound to the second security index value uses the digital resource.
4. The digital resource protection device according to claim 1, characterized in that
the N security index values include at least one third security index value configured with a third response vector value, the third response vector value being used to limit the electronic device that the registered user bound to the third security index value should use when using the digital resource.
5. The digital resource protection device according to claim 1, characterized in that
the N security index values include at least one fourth security index value configured with a fourth response vector value, the fourth response vector value being used to limit the physical location in which the registered user bound to the fourth security index value should be when using the digital resource.
6. The digital resource protection device according to any one of claims 1 to 5, characterized in that
the user characteristic information comprises any one of the following items, or a combination of any two or more of them:
a terminal identifier, specified gesture information, user biometric information, and characters input by the user.
7. The digital resource protection device according to claim 6, characterized in that
the value of one item of the user characteristic information, or the value of a combination of several items, is treated as the same value within a predetermined range of variation.
8. The digital resource protection device according to any one of claims 4 to 5, characterized in that
the digital resource protection device further comprises:
a deregistration module, configured to deregister an authorized registered user, so that the authorized registered user cannot decrypt the digital resource.
9. A digital resource usage device, characterized by comprising:
an obtaining module, configured to obtain authorization information of a registered user, wherein the authorization information is generated by a digital resource protection device by binding the user characteristic information of the registered user to one of N security index values; the digital resource protection device uses any one or more of the N security index values, together with a digital resource, as input parameters of a preset digital logic circuit, and logically encrypts the digital resource by means of the preset digital logic circuit; and the number of the security index values is greater than or equal to the circulation of the digital resource;
a first feature collection module, configured to collect the user characteristic information input by the registered user;
a first decryption module, configured to obtain the security index value bound to the registered user according to the user characteristic information input by the registered user and collected by the first feature collection module, and the authorization information obtained by the obtaining module;
a second decryption module, configured to use the security index value obtained by the first decryption module and the encrypted data of the digital resource as input parameters of the digital logic circuit, and to logically decrypt the encrypted data by means of the digital logic circuit to obtain the digital resource.
10. The digital resource usage device according to claim 9, characterized in that
the digital resource usage device further comprises:
a second feature collection module, configured to collect the user characteristic information of another user;
a permission exchange module, configured to bind the security index value obtained by the first decryption module to the user characteristic information of the other user collected by the second feature collection module, to generate authorization information of the other user;
a sending module, configured to send the authorization information of the other user to the other user, so that the other user obtains the right to use the digital resource.
11. The digital resource usage device according to claim 10, characterized in that
the permission exchange module is further configured to deregister the registered user, so that the registered user cannot decrypt the digital resource.
12. A digital resource protection method, characterized by comprising:
configuring N security index values corresponding to a digital resource to be encrypted, wherein N is greater than 0, and the number of the security index values is greater than or equal to the circulation of the digital resource;
using any one or more of the N security index values, together with the digital resource, as input parameters of a preset digital logic circuit, and logically encrypting the digital resource by means of the preset digital logic circuit;
after the digital resource is encrypted by the digital logic circuit, the method further comprising:
collecting user characteristic information of a registered user;
binding the user characteristic information of the registered user to one of the N security index values, to generate authorization information of the registered user;
sending the authorization information of the registered user to the registered user, so that the registered user obtains the security index value bound to the registered user according to the authorization information of the registered user and the user characteristic information input by the registered user, and decrypts the digital resource using that security index value and the digital logic circuit.
13. The method according to claim 12, characterized in that
the N security index values include at least one first security index value configured with a first response vector value, the first response vector value being used to limit the number of times that the registered user bound to the first security index value uses the digital resource.
14. The method according to claim 12, characterized in that
the N security index values include at least one second security index value configured with a second response vector value, the second response vector value being used to limit the time period in which the registered user bound to the second security index value uses the digital resource.
15. The method according to claim 12, characterized in that
the N security index values include at least one third security index value configured with a third response vector value, the third response vector value being used to limit the electronic device that the registered user bound to the third security index value should use when using the digital resource.
16. The method according to claim 13, characterized in that
the N security index values include at least one fourth security index value configured with a fourth response vector value, the fourth response vector value being used to limit the physical location in which the registered user bound to the fourth security index value should be when using the digital resource.
17. The method according to any one of claims 12 to 16, characterized in that the user characteristic information comprises any one of the following items, or a combination of any two or more of them:
a terminal identifier, specified gesture information, user biometric information, and characters input by the user.
18. The method according to claim 17, characterized in that
the value of one item of the user characteristic information, or the value of a combination of several items, is treated as the same value within a predetermined range of variation.
19. The method according to any one of claims 12 to 16, characterized in that
the method further comprises: deregistering an authorized registered user, so that the authorized registered user cannot decrypt the digital resource.
20. A digital resource protection method, characterized by comprising:
obtaining authorization information of a registered user, wherein the authorization information is generated by a digital resource protection device by binding the user characteristic information of the registered user to one of N security index values; the digital resource protection device uses any one or more of the N security index values, together with a digital resource, as input parameters of a preset digital logic circuit, and logically encrypts the digital resource by means of the preset digital logic circuit; and the number of the security index values is greater than or equal to the circulation of the digital resource;
collecting the user characteristic information input by the registered user;
obtaining the security index value bound to the registered user according to the collected user characteristic information input by the registered user and the authorization information;
using the security index value bound to the registered user and the encrypted data of the digital resource as input parameters of the digital logic circuit, and logically decrypting the encrypted data by means of the digital logic circuit to obtain the digital resource.
21. methods according to claim 20, is characterized in that,
Described method also comprises:
Gather the user's characteristic information of another user;
The user's characteristic information of the secret guarantor's index value described and described registered user bound and another user of described collection is bound, to generate the authorization message of another user described;
The authorization message of another user described is sent to another user described, obtain to make another user described the authority using described digital resource.
22. methods according to claim 21, is characterized in that,
The user's characteristic information of another user of described secret guarantor's index value of described and described registered user being bound and described collection is bound, and comprises afterwards:
Nullify described registered user, make described registered user cannot decipher described digital resource.
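The flow of claims 20 to 22, together with the variation-range rule above, can be modelled as follows. This is an added example, not the patent's implementation: the hash-and-XOR binding, the SHA-256 keystream standing in for the preset digital logic circuit, the bucket size `STEP`, the use of one index value per issued copy, and the `ProtectionDevice` class (which collapses the device and user sides into one object) are all assumptions.

```python
import hashlib
import secrets

STEP = 5  # assumed "predetermined variation range": readings in one bucket are equal


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feature_digest(features) -> bytes:
    """Quantise each reading, then hash, so small variations give the same digest."""
    buckets = ",".join(str(int(v // STEP)) for v in features)
    return hashlib.sha256(buckets.encode()).digest()


def logic_circuit(index: bytes, data: bytes) -> bytes:
    """Stand-in for the preset circuit: XOR keystream keyed by the index value.
    The same call encrypts and decrypts."""
    blocks = (hashlib.sha256(index + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return xor(data, b"".join(blocks))


class ProtectionDevice:
    def __init__(self, n: int):
        self.pool = [secrets.token_bytes(32) for _ in range(n)]  # N index values
        self.registry = {}  # user -> authorization information

    def issue(self, user, features, resource: bytes) -> bytes:
        index = self.pool.pop()  # one index value per issued copy (assumption)
        self.registry[user] = xor(index, feature_digest(features))  # binding
        return logic_circuit(index, resource)

    def use(self, user, features, ciphertext: bytes) -> bytes:
        if user not in self.registry:
            raise PermissionError(f"{user} is not registered")
        index = xor(self.registry[user], feature_digest(features))
        return logic_circuit(index, ciphertext)

    def transfer(self, owner, owner_features, new_user, new_features):
        index = xor(self.registry[owner], feature_digest(owner_features))
        self.registry[new_user] = xor(index, feature_digest(new_features))
        del self.registry[owner]  # claim 22: deregister the previous holder
```

In this model a reading just across a bucket boundary produces a different digest, so the choice of variation range decides how often a legitimate user fails to recover the index value.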
CN201310043364.3A 2013-02-04 2013-02-04 A digital resource protection method and related device Active CN103077331B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201310043364.3A CN103077331B (en) 2013-02-04 2013-02-04 A digital resource protection method and related device
PCT/CN2013/073039 WO2014117428A1 (en) 2013-02-04 2013-03-22 Digital resource protection method and related device
US14/705,219 US10102353B2 (en) 2013-02-04 2015-05-06 Digital resource protection method and apparatus, and digital resource using method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310043364.3A CN103077331B (en) 2013-02-04 2013-02-04 A digital resource protection method and related device

Publications (2)

Publication Number Publication Date
CN103077331A CN103077331A (en) 2013-05-01
CN103077331B true CN103077331B (en) 2016-03-02

Family

ID=48153860

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310043364.3A Active CN103077331B (en) 2013-02-04 2013-02-04 A digital resource protection method and related device

Country Status (3)

Country Link
US (1) US10102353B2 (en)
CN (1) CN103077331B (en)
WO (1) WO2014117428A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113747596A (en) * 2018-09-21 2021-12-03 华为技术有限公司 Method and apparatus for wireless scheduling
US12149616B1 (en) * 2023-10-31 2024-11-19 Massood Kamalpour Systems and methods for digital data management including creation of storage location with storage access ID

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1674494A (en) * 2004-03-22 2005-09-28 国际商业机器公司 Multi-key content processing system and method
CN101194460A (en) * 2005-04-07 2008-06-04 松下电器产业株式会社 circuit construction device
CN101196970A (en) * 2007-12-29 2008-06-11 武汉理工大学 Digital Rights Management System Based on Digital Watermark and Mobile Agent
CN101853361A (en) * 2009-04-01 2010-10-06 林伟波 File encryption method
CN101997674A (en) * 2009-08-10 2011-03-30 北京多思科技发展有限公司 Encrypted communication method, encrypted/decrypted communication device, encryption device and decryption device

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5490258A (en) * 1991-07-29 1996-02-06 Fenner; Peter R. Associative memory for very large key spaces
US7190788B2 (en) * 2002-09-13 2007-03-13 Intel Corporation Methods and apparatus for encrypting a binary string
US7313236B2 (en) * 2003-04-09 2007-12-25 International Business Machines Corporation Methods and apparatus for secure and adaptive delivery of multimedia content
US20060031873A1 (en) * 2004-08-09 2006-02-09 Comcast Cable Holdings, Llc System and method for reduced hierarchy key management
US7325092B2 (en) * 2005-07-30 2008-01-29 Lsi Corporation Apparatus and methods for a static mux-based priority encoder
US8345315B2 (en) * 2006-06-01 2013-01-01 Advanced Track And Trace Method and device for making documents secure using unique imprint derived from unique marking variations
CN1968107A (en) * 2006-10-09 2007-05-23 祝万昌 A method for transmitting and charging digital media files
US20090067625A1 (en) * 2007-09-07 2009-03-12 Aceurity, Inc. Method for protection of digital rights at points of vulnerability in real time
CN102238135A (en) * 2010-04-26 2011-11-09 许丰 Security authentication server
US8869235B2 (en) * 2011-10-11 2014-10-21 Citrix Systems, Inc. Secure mobile browser for protecting enterprise data
US8750502B2 (en) * 2012-03-22 2014-06-10 Purdue Research Foundation System on chip and method for cryptography using a physically unclonable function
WO2014005286A1 (en) * 2012-07-03 2014-01-09 厦门简帛信息科技有限公司 Digital resources management method and device
US8682796B2 (en) * 2012-08-23 2014-03-25 Sirsi Corporation Digital resource acquisition

Also Published As

Publication number Publication date
CN103077331A (en) 2013-05-01
US10102353B2 (en) 2018-10-16
US20150235012A1 (en) 2015-08-20
WO2014117428A1 (en) 2014-08-07


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant